
Online Security: A Quest to Be One Step Ahead of the Bad Guys

  • Article is provided courtesy of Cisco Press.
  • Date: May 29, 2009.

Article Description

Linda Leung interviews security expert Jamey Heary, author of Cisco NAC Appliance: Enforcing Host Security with Clean Access, about network security and the world of "white hats" versus "black hats."

Jamey Heary became involved in security in the mid-1990s when his employer, an equity trading firm, became the first in the industry to introduce Wi-Fi to the trading pit. Wireless security was in its infancy back then, and the company commonly saw other firms on the trading floor jumping on the network—often unwittingly—and spreading worms and viruses. That ushered in the beginning of his career doing battle with computer viruses and online hackers. Heary is now a security consulting systems engineer at Cisco Systems, where he leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. He is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access, and is a regular security blogger for Network World. I spoke with Heary about how far companies have come in securing their networks, why some hackers are so successful, and whether we will ever be one step ahead of the bad guys.

Why are some hackers so successful? Or perhaps the question should be, why are people gullible enough to fall for hackers' traps?

People think about using computers as tools, as opposed to something that could be vulnerable, especially if the [user] company doesn't specialize in technology. Doctors want technology to make their jobs easier. If you give doctors a tablet PC, they don't want to log in 15 times a day—they want to stay logged in all the time. They don't want a screensaver to come up. I look at my parents, and they're not computer savvy; every time I go home I have to clean their machine up.

Aren't the consumer security packages enough?

Antivirus packages today offer around 40% protection; the other 60% [of threats] they let in. Most people don't realize that. The reality is, for today's types of attacks you need antivirus, you need anti-spyware, you need malware protection—they all do different jobs. If you click on a web link that has cross-site scripting, that's normal behavior, and an antivirus is not going to be looking at that part of the operating system at all. [The script] then downloads a file, and that file can be named anything; they are polymorphic—something that can change its appearance on the fly. One demo I like to do is to bring up a virus—the "I love you" virus, which made a big splash in 2000—a nine-year-old virus. I launch it, open it in Notepad, move some stuff around, recompile it, launch it again—and the user can't see it. That's all it takes to take a nine-year-old virus and get it out of view. So that's why antivirus only offers 40% protection.
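The demo Heary describes, recompiling an old virus so the scanner no longer recognizes it, comes down to what a signature is matched against. The toy scanner below is an added illustration, not code from the interview or from any antivirus product: the sample script text, the benign script, the three signatures and the mutation are all constructed and inert. It runs one hash signature, one byte-pattern signature and one behaviour-based check against the original sample, against a trivially edited copy of it, and against a harmless script.

```python
"""Why a small edit to a known sample slips past signature-based detection.

Editor's added illustration; not code from the interview or any vendor.
Everything is constructed: the "sample" is an inert, made-up script text,
and the three signatures are invented to show three detection styles.
"""
import hashlib
import re

# Constructed, inert sample: the text of a made-up script that, if it were
# real, would copy itself to a startup folder and mail itself to contacts.
ORIGINAL_SAMPLE = """\
set dest = copy_self("/tmp/startup/love.vbs")
for each who in address_book():
    send_mail(who, attach=dest)
"""

# Constructed benign script: mails one report, never copies itself.
BENIGN_SAMPLE = """\
set report = build_report("daily")
send_mail("boss@example.test", attach=report)
"""

# 1. Hash signature: exact SHA-256 of the known-bad file (assumed approach).
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL_SAMPLE.encode()).hexdigest()}

# 2. Byte-pattern signature: a distinctive substring lifted from the sample.
BYTE_SIGNATURES = [b'copy_self("/tmp/startup/love.vbs")']

# 3. Behaviour signature: the set of operations the sample performs,
#    independent of identifiers, comments, whitespace or file names.
SUSPICIOUS_OPERATIONS = {"copy_self", "address_book", "send_mail"}


def hash_match(sample: str) -> bool:
    """Exact-file match: defeated by changing a single byte."""
    return hashlib.sha256(sample.encode()).hexdigest() in HASH_SIGNATURES


def byte_match(sample: str) -> bool:
    """Substring match: defeated by renaming anything inside the pattern."""
    data = sample.encode()
    return any(sig in data for sig in BYTE_SIGNATURES)


def behaviour_match(sample: str) -> bool:
    """Flag the sample if it invokes every operation in the suspicious set.

    Calls are recovered with a regex for `name(`, so author-chosen variable
    names and inserted comments do not change the result.
    """
    code_lines = [ln for ln in sample.splitlines()
                  if not ln.lstrip().startswith("#")]
    calls = set(re.findall(r"\b([A-Za-z_]\w*)\s*\(", "\n".join(code_lines)))
    return SUSPICIOUS_OPERATIONS <= calls


def mutate(sample: str) -> str:
    """Mimic the demo in the interview: rename identifiers, pad with comments.

    No operation is added or removed, so the script still does the same thing.
    """
    renamed = re.sub(r"\bdest\b", "d", sample)
    renamed = re.sub(r"\bwho\b", "w", renamed)
    renamed = renamed.replace("love.vbs", "sys.vbs")
    lines = renamed.splitlines()
    lines.insert(0, "# routine maintenance script")
    lines.insert(len(lines) - 1, "    # send the attachment")
    return "\n".join(lines) + "\n"


def scan(sample: str) -> dict:
    """Run all three detectors; True means 'flagged'."""
    return {
        "hash": hash_match(sample),
        "bytes": byte_match(sample),
        "behaviour": behaviour_match(sample),
    }


if __name__ == "__main__":
    print("original:", scan(ORIGINAL_SAMPLE))          # all three flag it
    print("mutated: ", scan(mutate(ORIGINAL_SAMPLE)))  # only behaviour flags it
    print("benign:  ", scan(BENIGN_SAMPLE))            # nothing flags it
```

The hash and byte-pattern checks are tied to the artifact as it was first seen, so any edit that changes the bytes inside the pattern (here a renamed file name) takes the sample out of view. The behaviour check is tied to what the script does, which the mutation did not change, and it stays quiet on the benign script because the full set of operations is never present. Real scanners and real polymorphic code are far more elaborate than this, but the split between matching the file and matching the behaviour is the reason a recompiled nine-year-old sample can walk past a signature database.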

What are the most common security mistakes that companies make?

The internal networks are basically wide open, and there is a lot of trust between machines. The mentality is to think that the outside is protected and the inside is trusted, but the annual Computer Security Institute/FBI survey always shows that internal vulnerabilities are one of the top concerns. It's like the inside of your house—you don't worry about your employees. When admins set up the machines, they don't think about whether the machine talks to the Internet, but social engineering attacks enable anyone to go inside. You get into one box, and you get inside the whole place.

If you had a badge on, nobody would know [you were an attacker]. You'd say you were an electrician, and people would let you in the data center. We have a local hacker group, and one of the guys said, "I need to develop an application that would allow me to print badges wherever I am." He had 2,200 different badges from different companies. Any badge you want, and he could print it out.

At the external perimeter, I would leave it alone; that's about as secure as it's going to get—assuming you're going to get hacked anyway. But internal is complete chaos.

It seems a lot of successful attacks, such as phishing, use social engineering. As a security professional, it seems that you'd need a degree in psychology to help you understand the mind of a hacker.

I happen to have a psychology degree—I have a degree in computer science and a degree in psychology. I love psychology, as it teaches you how the human brain thinks, and that has helped tremendously [in my work]. If you can solve the social engineering aspect of hacking—boy, would you be way more secure.

How are you teaching your customers about being wise to social engineering by hackers?

Being a vendor, you need to talk to customers in a way that is personal for them. If they've had an outbreak, that would last two weeks and it would go away, and they would forget about it. You have to make it personal so they won't forget it. If you hack into the CXO's computer, that makes it personal.

I coach my customers to hack their networks. I've had customers do everything. A hospital customer told me that their physical locks are usually open and their warehouses are full of protected health information—social security numbers, medical records, and sometimes credit card records. I said, "Why don't you make it personal, and go and take some?" They social-engineered their way in there with ease—someone even opened the door for them. They took a box of data and left it under the desk of the CTO, who came in the next day and saw file after file after file of protected health information.

Do you think we could ever be one step ahead of the bad guys?

Nope. You'd have to change so many things, including the social engineering aspect, in such a dramatic way that I don't think it would happen. You'd have to come up with a way to maintain secure code and to maintain complexity. But with the social engineering aspect, [we're not going to be ahead] for the next 50 years.

Can the blame be apportioned to developers, as security may not be top-of-mind when they're developing software?

For sure. Microsoft is pooling millions of dollars to make its code secure, relying on coding practices and expensive testing tools that pick up on vulnerabilities. But even with all that, you still see bugs in Microsoft Windows 2008. They're a smart company and they still can't get it right. With the poster child, Apple, the Mac has not been a target—but that doesn't mean it's more secure. But now that Macs have a 9% market share, they're starting to become a target, and you're seeing Apple come out with security packages.

Which hacker do you most admire?

Joanna Rutkowska, because the things she's doing are very cutting-edge. The big thing she is focused on is hacking into virtual machines. Virtualization is being developed without a thought to security. It's the worst security risk ever. Companies are putting VMware on servers, loading into one box up to 10, 15, 20 servers that used to be separate. If you can hack into the hypervisor, you own all the servers. You get into that box, and you get into all the boxes in the virtualized network. The servers are in a matrix and they only hear the hypervisor. Rutkowska has hacked into virtual machines—an open source virtual machine that is used by some of my big customers. She's put a blue pill [a rootkit that allows potentially malicious code to covertly take control] on a hypervisor to hack into the host hypervisor. She's published the source code.

Rutkowska is a white-hat hacker who has hacked into virtual machines. Have black hats hacked into them?

You wouldn't know if a black-hat hacker has done it. How would you detect their presence? You can't. Other researchers have tried to dispel this [idea that VMs are safe]. Virtual machines aren't super-vulnerable, but they are hackable.

Is it ethical for hackers to publish source codes of attacks or vulnerabilities?

Time and again we see security researchers find vulnerabilities and give vendors notice, and the vendors don't do anything about it. So what do the hackers do? Do they post the source code, or do they give the vendor time to fix it? It's de facto that vendors don't do anything about it, or it takes months for them to develop fixes, unless there is a massive influx of exploits.

Why does it take vendors so long to come out with a fix?

It depends on the severity of the vulnerability. They've got to deal with the big fish first. But if you read some of the hot-fix write-ups, several of them are given low severity, but then you read that the vulnerability enables a hacker to gain admin privileges. The vendor has given it a low severity because the likelihood of an exploit happening is low, but that doesn't correlate with the damage it could do.

Linda Leung is an independent writer and editor in California. Reach her at leungllh@gmail.com.